CWE-79

Exploit likelihood: High

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Parent: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

45,114 vulnerabilities with CWE-79
CVE-2025-9496 MEDIUM
Enable Media Replace <= 4.1.6 - Authenticated Stored Cross-Site Scripting via file_modified Shortcode
CVSS 6.4
CVE-2025-11197 MEDIUM
Draft List <= 2.6.1 - Authenticated Stored Cross-Site Scripting via Shortcode Attributes
CVSS 6.4
CVE-2025-9560 MEDIUM
Colibri Page Builder < 1.0.334 - XSS
CVSS 6.4
CVE-2025-9550 MEDIUM
Facets < 2.0.10 and 3.0.0-3.0.1 - Cross-Site Scripting
CVSS 6.1
CVE-2025-60880 HIGH
Bagisto 2.3.6 - Authenticated Stored Cross-Site Scripting via SVG File Upload
CVSS 8.3
CVE-2025-60308 MEDIUM
code-projects Simple Online Hotel Reservation System 1.0 - XSS
CVSS 4.1
CVE-2025-60869 HIGH
Publii CMS v0.46.5 - Stored Cross-Site Scripting via Site Description and Footer Follow Buttons
CVSS 7.3
CVE-2025-60378 HIGH
RISE Ultimate Project Manager & CRM - Stored HTML Injection
CVSS 8.1
CVE-2025-61319 MEDIUM
yogeshojha/rengine < 2.2.0 - Stored Cross-Site Scripting in Vulnerabilities Module
CVSS 6.1
CVE-2025-62239 MEDIUM
Liferay DXP 2023.Q3.1-2023.Q3.8 & 2023.Q4.0-2023.Q4.5 - Authenticated Stored XSS in Workflow Process Builder
CVSS 5.4
CVE-2025-62238 MEDIUM
Liferay DXP 2023.Q3.1-2023.Q3.8 & 7.4.3.21-7.4.3.111 - Authenticated Stored XSS via Account Name
CVSS 5.4
CVE-2025-62237 MEDIUM
Liferay DXP 2023.Q3.1-2023.Q3.8 and 7.4.3.8-7.4.3.111 - Stored Cross-Site Scripting in Commerce View Order Page
CVSS 5.4
CVE-2025-7781 MEDIUM
WP JobHunt <= 7.6 - Authenticated Stored Cross-Site Scripting via cs_job_title Parameter
CVSS 6.4
CVE-2025-52624 MEDIUM
HCL AION 2.0 - Script Allowlist Bypass via Content-Security-Policy Misconfiguration
CVSS 5.4
CVE-2025-11189 HIGH
Kiwire - Reflected Cross-Site Scripting via Login-URL Parameter
CVSS 7.3
CVE-2025-41089 MEDIUM
Xibo CMS < 4.2.2 - Cross-Site Scripting via Template Configuration Name Field
CVE-2025-41088 MEDIUM
Xibo CMS < 4.2.2 - Stored Cross-Site Scripting via Template Text Field
CVE-2025-25018 HIGH
Kibana 7.0.0-8.18.8 - Stored Cross-Site Scripting
CVSS 8.7
CVE-2025-25017 HIGH
Kibana 7.0.0-8.18.7 - Cross-Site Scripting
CVSS 8.2
CVE-2025-40640 MEDIUM
Energy CRM v2025 - Stored Cross-Site Scripting via customerName_0 Parameter
CVSS 5.4
CVE-2025-11570 MEDIUM
drupal-pattern-lab/unified-twig-extensions - Cross-Site Scripting in Link Function
CVSS 4.6
CVE-2025-11450 MEDIUM
ServiceNow AI Platform - Reflected Cross-Site Scripting
CVE-2025-11449 MEDIUM
ServiceNow AI Platform - Reflected Cross-Site Scripting
CVE-2025-62240 MEDIUM
Liferay Digital Experience Platform 2023.Q3.1-2023.Q3.7 - Cross-Site Scripting via Calendar Event User Name Fields
CVSS 5.4
CVE-2025-61773 HIGH
pyload-ng < 0.5.0b3.dev91 - Cross-Site Scripting via Captcha Script Endpoint and Click'N'Load Blueprint
CVSS 8.1